Technical Field
This disclosure relates generally to computer security, and, more specifically, to authenticating a password associated with a user.
Description of the Related Art
Identity fraud can be accomplished in a number of ways. In one frequently used method, an attacker seeks to duplicate the account name and password of a target. This method is computationally tedious, and other methods are often preferred. In some of these methods, attackers provide minimal, and often easy-to-acquire, information such as a home address, the last digits of a credit card, and a full name in order to reset the password of an account. Once the password has been reset, the attacker may gain access to the account and may rapidly gain access to other accounts that are linked to the compromised account.
Most identity access management systems operate by classifying access attempts as more or less risky. A recent history of repeated attempts to access an account with the wrong password can lock an account. Multi-factor, multi-device authentication and one-time passwords provide additional levels of protection. However, these protections are focused on attacks that attempt to guess or steal passwords. As noted above, other attack vectors rely on links between accounts and differences in password reset policies. For example, a Facebook account may be used to gain access to a Google account, or a call to a human service representative can trigger a password reset. These attack vectors exist because users often forget passwords and account names, and the semi-automatic mechanisms created to allow account access recovery create security holes.